Abstract

We study two group theoretic problems, Group Intersection and Double Coset Membership,
in the setting of black-box groups, where Double Coset Membership generalizes a set of
problems, including Group Membership, Group Factorization, and Coset Intersection. No
polynomial-time classical algorithms are known for these problems. We show that for
solvable groups, there exist efficient quantum algorithms for Group Intersection if one
of the underlying solvable groups has a smoothly solvable commutator subgroup, and for
Double Coset Membership if one of the underlying solvable groups is smoothly solvable.
We also study the decision versions of Stabilizer and Orbit Coset, which generalize
Group Intersection and Double Coset Membership, respectively. We show that they reduce
to Orbit Superposition under certain conditions. Finally, we show that Double Coset
Membership and Double Coset Nonmembership have zero knowledge proof systems.

1 Introduction 

This paper makes progress in finding connections between quantum computation and
computational group theory. We give results about quantum algorithms and reductions for
group theoretic problems, concentrating mostly on solvable groups. These results come in
three sections. First, we concentrate on two particular group theoretic problems, Group
Intersection and Double Coset Membership, showing that these problems reduce to other
group problems with known efficient quantum algorithms for many instances, yielding
efficient quantum algorithms for Group Intersection and Double Coset Membership on the
same types of groups. Second, we generalize and refine our results in the first section
by introducing decision versions of the Stabilizer and Orbit Coset problems (see
[FIM+03]), and showing that these new problems lie in between Group Intersection and
Double Coset Membership on the one hand, and the problem Orbit Superposition, defined in
[FIM+03], on the other. Third, we relate our results on Double Coset Membership to recent
work of Aharonov & Ta-Shma [ATS03] by showing that Double Coset Membership and its
complement have perfect zero knowledge proofs. Our results and other known reducibility
relationships between these and other various group theoretic problems are summarized in
Figure 1. A common theme running through all three sections is the surprising usefulness
of producing certain uniform quantum superpositions.

Figure 1: Known reducibilities between various group theoretic problems. Thick lines
represent nontrivial reducibilities shown in the current work.

Many problems that have quantum algorithms exponentially faster than the best known
classical algorithms turn out to be special cases of the Hidden Subgroup problem (HSP) for
abelian groups, which can be solved using the Quantum Fourier Transform [Mos99, Joz00].
Other interesting problems, such as Graph Isomorphism, are special cases of general Hidden
Subgroup, for which no efficient quantum algorithm is currently known. The idea that
underlying algebraic structures may be essential for problems having exponential quantum
speedup has prompted several researchers to study problems in computational group theory.
Watrous [Wat01] first constructed efficient quantum algorithms for several problems on
solvable groups, such as Order Verification and Group Membership. Based on an algorithm of
Beals and Babai [BB93], Ivanyos, Magniez, and Santha [IMS01] obtained efficient quantum
algorithms for Order Verification as well as several other group theoretic problems.
Recently, Friedl et al. [FIM+03] introduced the problems Stabilizer, Orbit Coset, and
Orbit Superposition, and showed that these problems can be solved efficiently on quantum
computers if the underlying groups satisfy certain stronger solvability criteria.

Watrous asked in [Wat01] whether there are efficient quantum algorithms for problems
such as Group Intersection and Coset Intersection. We show that for solvable groups, there
are efficient quantum algorithms for Group Intersection and Double Coset Membership (which
generalizes Coset Intersection as well as Group Membership and Group Factorization) under
certain conditions. We obtain these results by showing that these two problems reduce to
Stabilizer and Orbit Coset, respectively.

One key component in our proof is the construction of approximately uniform quantum
superpositions over elements of a given solvable group, which is a very useful byproduct of
[Wat01]. In classical computational group theory, the ability to sample group elements
uniformly at random is very useful in designing many classical group algorithms. We believe
that its quantum analog — uniform quantum superpositions over group elements — will continue
to be useful in designing quantum group algorithms. Our results also imply that for abelian
groups, Group Intersection and Double Coset Membership are in the complexity class BQP,
which yields a new proof that they are low for the class PP [AV97, FR99].

We observe that in the reduction from Group Intersection (respectively Double Coset
Membership) to Stabilizer (respectively Orbit Coset), we don't actually need the full power
of Stabilizer or Orbit Coset. This inspires us to study simplified versions of these two
problems. Here we use Stabilizer_D and Orbit Coset_D to denote the decision versions of
these two problems, where we are only interested in a trivial/non-trivial answer. We show
that the difficulty of Stabilizer_D and Orbit Coset_D may reside in constructions of certain
uniform quantum superpositions, which can be achieved by the problem Orbit Superposition.
In particular, we show that for solvable groups, Stabilizer_D reduces to Orbit
Superposition, and for any finite groups, Orbit Coset_D reduces to Orbit Superposition in
bounded-error quantum polynomial time. This again reinforces our idea that certain uniform
quantum superpositions are key components in quantum group algorithms.

A recent paper by Aharonov and Ta-Shma [ATS03] shares a similar point of view. They
studied the problem Circuit Quantum Sampling (CQS), which basically concerns generating
quantum states corresponding to classical probability distributions. Furthermore, they
showed interesting connections between CQS and many different areas such as Statistical
Zero Knowledge (SZK) and adiabatic evolution. In particular, they showed that any language
in SZK can be reduced to a family of instances of CQS. Inspired by this, we obtain
connections between our group theoretic problems and the complexity class SZK. We show
that Double Coset Membership has a zero knowledge proof system, therefore it is in SZK.
This is an improvement of Babai's result [Bab92] that Double Coset Membership is in
AM ∩ coAM. We also give an explicit zero knowledge proof system for the complement of
Double Coset Membership, namely, Double Coset Nonmembership. While Watrous [Wat00] showed
that Group Nonmembership is in the complexity class QMA, another implication of our results
is that Group Nonmembership has a zero knowledge interactive proof system.
2 Preliminaries

Background on general group theory and quantum computation can be found in the standard
textbooks [Bur55, NC00].



2.1 The Black-Box Group Model 

All of the group theoretic problems discussed in this paper will be studied in the model of
black-box groups. This model was first introduced by Babai and Szemerédi [BS84] as a
general framework for studying algorithmic problems for finite groups. It has been
extensively studied (see [Wat01]). Here we will use descriptions similar to those in [AV97].

We fix the alphabet $\Sigma = \{0, 1\}$. A group family is a countable sequence
$B = \{B_m\}_{m \ge 1}$ of finite groups $B_m$, such that there exist polynomials $p$ and
$q$ satisfying the following conditions. For each $m \ge 1$, elements of $B_m$ are encoded
as strings (not necessarily unique) in $\Sigma^{p(m)}$. The group operations (inverse,
product and identity testing) of $B_m$ are performed at unit cost by black-boxes (or group
oracles). The order of $B_m$ is computable in time bounded by $q(m)$, for each $m$. We
refer to the groups $B_m$ of a group family and their subgroups (presented by generator
sets) as black-box groups. Common examples of black-box groups are $\{S_n\}_{n \ge 1}$
where $S_n$ is the permutation group on $n$ elements, and $\{GL_n(q)\}_{n \ge 1}$ where
$GL_n(q)$ is the group of $n \times n$ invertible matrices over the finite field
$\mathbb{F}_q$. Depending on whether the group elements are uniquely encoded, we have the
unique encoding model and the non-unique encoding model, the latter of which enables us to
deal with factor groups [BS84]. In the non-unique encoding model an additional group oracle
has to be provided to test if two strings represent the same group element. Our results
will apply only to the unique encoding model. In one of our proofs, however, we will use
the non-unique encoding model to handle factor groups. For how to implement group oracles
in the form of quantum circuits, please see [Wat01].



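Definition 2.1 ([AV97]) Let $B = \{B_m\}_{m \ge 1}$ be a group family. Let $e$ denote the
identity element of each $B_m$. Let $\langle S \rangle$ denote the group generated by a set
$S$ of elements of $B_m$. Below, $g$ and $h$ denote elements, and $S_1$ and $S_2$ subsets,
of $B_m$.

Group Intersection = $\{(0^m, S_1, S_2) \mid \langle S_1 \rangle \cap \langle S_2 \rangle \ne \langle e \rangle\}$,
Group Membership = $\{(0^m, S_1, g) \mid g \in \langle S_1 \rangle\}$,
Group Factorization = $\{(0^m, S_1, S_2, g) \mid g \in \langle S_1 \rangle \langle S_2 \rangle\}$,
Coset Intersection = $\{(0^m, S_1, S_2, g) \mid \langle S_1 \rangle g \cap \langle S_2 \rangle \ne \emptyset\}$,
Double Coset Membership = $\{(0^m, S_1, S_2, g, h) \mid g \in \langle S_1 \rangle h \langle S_2 \rangle\}$.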



It is easily seen that Double Coset Membership generalizes Group Membership, 
Group Factorization, and Coset Intersection. Therefore in this paper we will focus 
on Double Coset Membership. All our results about Double Coset Membership will 
also apply to Group Membership, Group Factorization, and Coset Intersection. 
(Actually, Coset Intersection and Group Factorization are easily seen to be the 
same problem.) 
2.2 Solvable Groups

The commutator subgroup $G'$ of a group $G$ is the subgroup generated by elements
$g^{-1}h^{-1}gh$ for all $g, h \in G$. We define $G^{(n)}$ such that

$G^{(0)} = G$,

$G^{(n)} = (G^{(n-1)})'$, for $n \ge 1$.

$G$ is solvable if $G^{(n)}$ is the trivial group $\{e\}$ for some $n$. We call
$G = G^{(0)} > G^{(1)} > \cdots > G^{(n)} = \{e\}$ the derived series of $G$, of length $n$.
Note that all the factor groups $G^{(i)}/G^{(i+1)}$ are abelian. There is a randomized
procedure that computes the derived series of a given group $G$ [BCF+95].

The term smoothly solvable was first introduced in [FIM+03]. We say that a family of
abelian groups is smoothly abelian if each group in the family can be expressed as the
direct product of a subgroup whose exponent is bounded by a constant and a subgroup of
polylogarithmic size in the order of the group. A family of solvable groups is smoothly
solvable if the length of each derived series is bounded by a constant and the family of
all factor groups $G^{(i)}/G^{(i+1)}$ is smoothly abelian.

In designing efficient quantum algorithms for computing the order of a solvable group
(Order Verification), Watrous [Wat01] obtained as a byproduct a method to construct
approximately uniform quantum superpositions over elements of a given solvable group.

Theorem 2.2 ([Wat01]) In the model of black-box groups with unique encoding, there is
a quantum algorithm operating as follows (relative to an arbitrary group oracle). Given
generators $g_1, \ldots, g_m$ such that $G = \langle g_1, \ldots, g_m \rangle$ is solvable,
the algorithm outputs the order of $G$ with probability of error bounded by $\epsilon$ in
time polynomial in $mn + \log(1/\epsilon)$ (where $n$ is the length of the strings
representing the generators). Moreover, the algorithm produces a quantum state $\rho$ that
approximates the state $|G\rangle = |G|^{-1/2} \sum_{g \in G} |g\rangle$ with accuracy
$\epsilon$ (in the trace norm metric).

2.3 Stabilizer, Orbit Coset and Orbit Superposition 

A recent paper by Friedl et al. [FIM+03] introduced several problems which are closely
related to Hidden Subgroup. In particular, they introduced Stabilizer, Hidden Translation,
Orbit Coset, and Orbit Superposition. Stabilizer generalizes Hidden Subgroup. In fact, the
only difference between Stabilizer and Hidden Subgroup is that in the definition of
Stabilizer the function $f$ can be a quantum function that maps group elements to mutually
orthogonal quantum states with unit norm. Orbit Coset generalizes Stabilizer and Hidden
Translation. Orbit Superposition is a relevant problem, which is also of independent
interest. The superpositions Watrous constructed in Theorem 2.2 can be considered as an
instance of Orbit Superposition.

In the following we will state the problems and results that will be used in this paper.
We refer interested readers to their paper [FIM+03] for detailed information.

Let $G$ be a finite group. Let $\Gamma$ be a set of mutually orthogonal quantum states. Let
$\alpha : G \times \Gamma \to \Gamma$ be a group action of $G$ on $\Gamma$, i.e., for every
$x \in G$ the function $\alpha_x : |\phi\rangle \mapsto |\alpha(x, |\phi\rangle)\rangle$ is
a permutation over $\Gamma$ and the map $h$ from $G$ to the symmetric group over $\Gamma$
defined by $h(x) = \alpha_x$ is a homomorphism. We use the notation $|x \cdot \phi\rangle$
instead of $|\alpha(x, |\phi\rangle)\rangle$, when $\alpha$ is clear from the context. We
let $G(|\phi\rangle)$ denote the set $\{|x \cdot \phi\rangle : x \in G\}$, and we let
$G_{|\phi\rangle}$ denote the stabilizer subgroup of $|\phi\rangle$ in $G$, i.e.,
$\{x \in G : |x \cdot \phi\rangle = |\phi\rangle\}$. Given any positive integer $t$, let
$\alpha^t$ denote the group action of $G$ on
$\Gamma^t = \{|\phi\rangle^{\otimes t} : |\phi\rangle \in \Gamma\}$ defined by
$\alpha^t(x, |\phi\rangle^{\otimes t}) = |x \cdot \phi\rangle^{\otimes t}$. We need
$\alpha^t$ because the input superpositions cannot be cloned in general.

Definition 2.3 ([FIM+03]) Let $G$ be a finite group and $\Gamma$ be a set of mutually
orthogonal quantum states. Fix the group action $\alpha : G \times \Gamma \to \Gamma$.

• Given generators for $G$ and a quantum state $|\phi\rangle \in \Gamma$, the problem
Stabilizer is to find a generating set for the subgroup $G_{|\phi\rangle}$.

• Given generators for $G$ and two quantum states $|\phi_0\rangle, |\phi_1\rangle \in \Gamma$,
the problem Orbit Coset is to either reject the input if
$G(|\phi_0\rangle) \cap G(|\phi_1\rangle) = \emptyset$ or output a generating set for
$G_{|\phi_1\rangle}$ of size $O(\log |G|)$ and a $u \in G$ such that
$|u \cdot \phi_1\rangle = |\phi_0\rangle$.

• Given generators for $G$ and a quantum state $|\phi\rangle \in \Gamma$, the problem Orbit
Superposition is to construct the uniform superposition

$|G \cdot \phi\rangle = \frac{1}{\sqrt{|G(|\phi\rangle)|}} \sum_{|\phi'\rangle \in G(|\phi\rangle)} |\phi'\rangle$.

Orbit Coset and Stabilizer can be solved in quantum polynomial time under certain 
stronger solvability criteria. 

Theorem 2.4 ([FIM+03]) Let $G$ be a smoothly solvable group and let $\alpha$ be a group
action of $G$. When $t = (\log^{\Omega(1)} |G|) \log(1/\epsilon)$, Orbit Coset can be
solved in $G$ for $\alpha^t$ in quantum time $\mathrm{poly}(\log |G|) \log(1/\epsilon)$
with error $\epsilon$.

Theorem 2.5 ([FIM+03]) Let $G$ be a finite solvable group having a smoothly solvable
commutator subgroup and let $\alpha$ be a group action of $G$. When
$t = (\log^{\Omega(1)} |G|) \log(1/\epsilon)$, Stabilizer can be solved in $G$ for
$\alpha^t$ in quantum time $\mathrm{poly}(\log |G|) \log(1/\epsilon)$ with error $\epsilon$.

Another interesting result in [FIM+03] is that Orbit Superposition reduces to Orbit
Coset for solvable groups in quantum polynomial time. It is not clear if there is a
reduction in the reverse direction.
2.4 Zero Knowledge Proof Systems

We use standard notions of interactive proof systems and zero knowledge interactive proof
systems. Information about zero knowledge systems can be found in a variety of places,
including Vadhan's Ph.D. thesis [Vad99], and Goldreich, Micali, & Wigderson [GMW91].

SZK is the class of languages that have statistical zero knowledge proofs. It is known
that BPP ⊆ SZK ⊆ AM ∩ coAM and that SZK is closed under complement. SZK does not contain
any NP-complete language unless the polynomial hierarchy collapses [Vad99].



2.5 A Note on Quantum Reductions 

In Sections 3 and 4 we describe quantum reductions to various problems. Quantum
algorithms for these problems often require several identical copies of a quantum state or
unitary gate to work to a desired accuracy. Therefore, we will implicitly assume that our
reductions may be repeated $t$ times, where $t$ is some appropriate parameter polynomial in
the input size and the logarithm of the desired error bound.



3 Quantum algorithms 

In this section we report progress on finding quantum algorithms for Group Intersection
and Double Coset Membership.

Theorem 3.1 Group Intersection reduces to Stabilizer in bounded-error quantum
polynomial time if one of the underlying groups is solvable.

Proof. Given an input $(0^m, S_1, S_2)$ for Group Intersection, without loss of generality,
suppose that $G = \langle S_1 \rangle$ is an arbitrary finite group and
$H = \langle S_2 \rangle$ is solvable. By Theorem 2.2 we can construct an approximately
uniform superposition $|H\rangle = |H|^{-1/2} \sum_{h \in H} |h\rangle$. For any $g \in G$,
let $|gH\rangle$ denote the uniform superposition over the left coset $gH$, i.e.,
$|gH\rangle = |H|^{-1/2} \sum_{h \in gH} |h\rangle$. Let
$\Gamma = \{|gH\rangle \mid g \in G\}$. Note that the quantum states in $\Gamma$ are
(approximately) pairwise orthogonal. Define the group action
$\alpha : G \times \Gamma \to \Gamma$ to be that for every $g \in G$ and every
$|\phi\rangle \in \Gamma$, $\alpha(g, |\phi\rangle) = |g\phi\rangle$. Then the intersection
of $G$ and $H$ is exactly the subgroup of $G$ that stabilizes the quantum state
$|H\rangle$. □



Corollary 3.2 Group Intersection over solvable groups can be solved within error
$\epsilon$ by a quantum algorithm that runs in time polynomial in $m + \log(1/\epsilon)$,
where $m$ is the size of the input, provided one of the underlying solvable groups has a
smoothly solvable commutator subgroup.

Proof. Follows directly from Theorems 3.1 and 2.5. □

It is not clear if a similar reduction to Stabilizer exists for Double Coset Membership.
However, with the help of certain uniform superpositions, Double Coset Membership can be
nicely put into the framework of Orbit Coset.

Theorem 3.3 Double Coset Membership over solvable groups reduces to Orbit Coset
in bounded-error quantum polynomial time.



Proof. Given input for Double Coset Membership $S_1$, $S_2$, $g$ and $h$, where
$G = \langle S_1 \rangle$ and $H = \langle S_2 \rangle$ are solvable groups, first we check
if $g$ is an element of $G$ or $H$. This can be done using the quantum algorithm for Group
Membership in [Wat01]. For example, to check if $g$ is an element of $G$, the algorithm
will check if the group $\langle S_1, g \rangle$ is still solvable, and in the case that it
is solvable compute the order of $\langle S_1, g \rangle$ and check if it is equal to the
order of $G$. If $g$ is an element of $G$ or $H$, quit and output "yes."

In the case that $g$ is not an element of $G$ or $H$, we construct the input for Orbit
Coset as follows. Let $\Gamma = \{|xH\rangle \mid x \in \langle S_1, S_2, g, h \rangle\}$.
Define group action $\alpha : G \times \Gamma \to \Gamma$ to be
$\alpha(x, |\phi\rangle) = |x\phi\rangle$ for any $x \in G$ and $|\phi\rangle \in \Gamma$.
Let two input quantum states $|\phi_0\rangle$ and $|\phi_1\rangle$ be $|gH\rangle$ and
$|hH\rangle$, which can be constructed using Theorem 2.2. It is not hard to check that
there exists a $u \in G$ such that $|u \cdot \phi_1\rangle = |\phi_0\rangle$ if and only if
$g \in GhH$. □



Corollary 3.4 Double Coset Membership over solvable groups can be solved within
error $\epsilon$ by a quantum algorithm that runs in time polynomial in
$m + \log(1/\epsilon)$, where $m$ is the size of the input, provided one of the underlying
groups is smoothly solvable.

Proof. Given input for Double Coset Membership $S_1$, $S_2$, $g$ and $h$, suppose that
$G = \langle S_1 \rangle$ is smoothly solvable and $H = \langle S_2 \rangle$ is solvable.
Let $S_1$, $|gH\rangle$, $|hH\rangle$ be the input for Orbit Coset; the result follows from
Theorem 2.4. If instead $H$ is the one which is smoothly solvable, then we modify the input
by swapping $S_1$ and $S_2$ and using $g^{-1}$, $h^{-1}$ to replace $g$, $h$. Note that
this modification will not change the final answer. □



4 The decision versions of Stabilizer and Orbit Coset 

An interesting observation is that to solve our group theoretic problems, we don't actually
need the full power of Stabilizer and Orbit Coset. For example, for the problem Group
Intersection, we care about whether the intersection of the two input groups is trivial
or non-trivial. We don't ask for a generating set in the case of a non-trivial intersection.
This inspires us to define and study the decision versions of Stabilizer and Orbit Coset,
denoted as Stabilizer_D and Orbit Coset_D, respectively.

Definition 4.1 Let $G$ be a finite group and $\Gamma$ be a set of pairwise orthogonal
quantum states. Fix the group action $\alpha : G \times \Gamma \to \Gamma$.

• Given generators for $G$ and a quantum state $|\phi\rangle \in \Gamma$, the problem
Stabilizer_D is to check if the subgroup $G_{|\phi\rangle}$ is the trivial subgroup $\{e\}$.

• Given generators for $G$ and two quantum states $|\phi_0\rangle, |\phi_1\rangle \in \Gamma$,
the problem Orbit Coset_D is to either reject the input if
$G(|\phi_0\rangle) \cap G(|\phi_1\rangle) = \emptyset$ or accept the input if
$G(|\phi_0\rangle) = G(|\phi_1\rangle)$.






It is clear that the reductions in Theorem 3.1 and Theorem 3.3 still work if we replace
Stabilizer (respectively Orbit Coset) with Stabilizer_D (respectively Orbit Coset_D).
We remark that although Orbit Coset generalizes Stabilizer, Orbit Coset_D does not
seem to generalize Stabilizer_D. Next we show that the ability of constructing certain
quantum superpositions will help us to attack these two problems. The problem Orbit
Superposition provides a way to construct quantum superpositions. In fact, Watrous'
result in Theorem 2.2 solves a special case of Orbit Superposition, where the group $G$
acts on the quantum state of the identity element.

We will use the following result from [IMS01]:

Theorem 4.2 ([IMS01]) Assume that $G$ is a black-box group given by generators with not
necessarily unique encoding. Suppose that $N$ is a normal subgroup given as a hidden
subgroup of $G$ via the function $f$. Then the order of the factor group $G/N$ can be
computed by quantum algorithms in time polynomial in $n + \nu(G/N)$, where $n$ is the input
size and the parameter $\nu(G)$ is defined in [BB93] and equals one for any solvable group
$G$.

Please note that we can apply Theorem 4.2 to factor groups since it uses the non-unique
encoding black-box groups model.

Theorem 4.3 Over solvable groups, Stabilizer_D reduces to Orbit Superposition in
bounded-error quantum polynomial time.

Proof. Let the solvable group $G$ and quantum state $|\phi\rangle$ be the input of
Stabilizer_D. We can find in classical polynomial time generators for each element in the
derived series of $G$ [BCF+95], namely, $\{e\} = G_1 \lhd \cdots \lhd G_n = G$. For
$1 \le i \le n$ let $S_i = (G_i)_{|\phi\rangle}$, the stabilizer of $|\phi\rangle$ in
$G_i$. By Theorem 2.2 we can compute the orders of $G_1, \ldots, G_n$ and thus the order of
$G_{i+1}/G_i$ for any $1 \le i < n$. We will proceed in steps. Suppose that before step
$i+1$ we know that $S_i = \{e\}$. We want to find out if $S_{i+1} = \{e\}$ in the
$(i+1)$st step. Since $G_i \lhd G_{i+1}$, by the Second Isomorphism Theorem,
$G_i S_{i+1}/G_i \cong S_{i+1}$. Consider the factor group $G_{i+1}/G_i$; we will define a
function $f$ such that $f$ is constant on $G_i S_{i+1}/G_i$ and distinct on left cosets of
$G_i S_{i+1}/G_i$ in $G_{i+1}/G_i$. Then by Theorem 4.2 we can compute the order of the
factor group $G_{i+1}/G_i$ over $G_i S_{i+1}/G_i$. The group oracle needed in the
non-unique encoding model to test if two strings $s_1$ and $s_2$ represent the same group
element can be implemented using the quantum algorithm for Group Membership, namely,
testing if $s_1^{-1} s_2$ is a member of $G_i$. The order of this group is equal to the
order of $G_{i+1}/G_i$ if and only if $S_{i+1}$ is trivial.

Here is how we define the function $f$. Using $G_i$ and $|\phi\rangle$ as the input for
Orbit Superposition, we can construct the uniform superposition $|G_i \cdot \phi\rangle$.
Let $\Gamma$ be the set $\{|gG_i \cdot \phi\rangle \mid g \in G_{i+1}\}$. We define
$f : G_{i+1}/G_i \to \Gamma$ to be such that $f(gG_i) = |gG_i \cdot \phi\rangle$. What is
left is to verify that $f$ hides the subgroup $G_i S_{i+1}/G_i$ in the group
$G_{i+1}/G_i$. For any $g \in G_i S_{i+1}$, it is straightforward to see that
$|gG_i \cdot \phi\rangle = |G_i \cdot \phi\rangle$. If $g_1$ and $g_2$ are in the same left
coset of $G_i S_{i+1}$, then $g_1 = g_2 g$ for some $g \in G_i S_{i+1}$ and thus
$|g_1 G_i \cdot \phi\rangle = |g_2 G_i \cdot \phi\rangle$. If $g_1$ and $g_2$ are not in
the same left coset of $G_i S_{i+1}$, we will show that $|g_1 G_i \cdot \phi\rangle$ and
$|g_2 G_i \cdot \phi\rangle$ are orthogonal quantum states. Suppose there exist
$x_1, x_2 \in G_i$ such that $|g_1 x_1 \cdot \phi\rangle = |g_2 x_2 \cdot \phi\rangle$;
then $x_1^{-1} g_1^{-1} g_2 x_2 \in S_{i+1}$. But
$x_1^{-1} g_1^{-1} g_2 x_2 = x_1^{-1} x_2' g_1^{-1} g_2$ for some $x_2' \in G_i$. Thus
$g_1^{-1} g_2 \in G_i S_{i+1}$. This contradicts the assumption that $g_1$ and $g_2$ are
not in the same coset of $G_i S_{i+1}$.

We need to repeat the above procedure at most $\Theta(\log |G|)$ times. For each step the
running time is polynomial in $\log |G| + \log(1/\epsilon)$, for error bound $\epsilon$. So
the total running time is still polynomial in the input size. □



Corollary 4.4 Over solvable groups, Group Intersection reduces to Orbit Superpo- 
sition in bounded-error quantum polynomial time. 

We can also reduce Orbit Coset_D to Orbit Superposition in quantum polynomial time. In
this reduction, we don't require the underlying groups to be solvable. The proof uses
similar techniques that Watrous [Wat00] and Buhrman et al. [BCWdW01] used to differentiate
two quantum states.

Theorem 4.5 Orbit Coset_D reduces to Orbit Superposition in bounded-error quantum
polynomial time.

Proof. Let the finite group $G$ and two quantum states $|\phi_1\rangle$, $|\phi_2\rangle$
be the inputs of Orbit Coset_D. Notice that the orbit cosets of $|\phi_1\rangle$ and
$|\phi_2\rangle$ are either identical or disjoint, which implies the two quantum states
$|G \cdot \phi_1\rangle$ and $|G \cdot \phi_2\rangle$ are either identical or orthogonal.
We may then tell which is the case using a version of the swap test of Buhrman et al.
[BCWdW01]. □



Corollary 4.6 Double Coset Membership reduces to Orbit Superposition in bounded- 
error quantum polynomial time. 

5 Statistical Zero Knowledge 

A recent paper by Aharonov and Ta-Shma [ATS03] proposed a new way to generate certain
quantum states using adiabatic quantum methods. In particular, they introduced the
problem Circuit Quantum Sampling (CQS) and its connection to the complexity class
Statistical Zero Knowledge (SZK). Informally speaking, CQS is to generate quantum states
corresponding to classical probability distributions obtained from some classical circuits.
Although CQS and Orbit Superposition are different problems, they bear a certain level of
resemblance. Both problems are concerned about generation of non-trivial quantum states.
In their paper they showed that any language in SZK can be reduced to a family of
instances of CQS. Based on Theorem 4.3 and Theorem 4.5, we would like to ask if there are
connections between SZK and our group theoretic problems. As a first step, we show that
Double Coset Membership has a perfect zero knowledge proof system, and thus is in SZK.
This is an improvement of Babai's result [Bab92] that Double Coset Membership is in
AM ∩ coAM. Our proof shares the same flavor with Goldreich, Micali and Wigderson's proof
that Graph Isomorphism is in SZK [GMW91]. The intuitive idea is to break the process into
two parts, where the verification of each individual part does not reveal any information
about the claim.

The following theorem due to Babai [Bab91] will be used in our proof. Let $G$ be a finite
group. Let $g_1, \ldots, g_k \in G$ be a sequence of group elements. A subproduct of this
sequence is an element of the form $g_1^{e_1} \cdots g_k^{e_k}$, where $e_i \in \{0, 1\}$.
We call a sequence $h_1, \ldots, h_k \in G$ a sequence of $\epsilon$-uniform Erdős-Rényi
generators if every element of $G$ is represented in $(2^k/|G|)(1 \pm \epsilon)$ ways as a
subproduct of the $h_i$.

Theorem 5.1 ([Bab91]) Let $c, C > 0$ be given constants, and let $\epsilon = N^{-c}$ where
$N$ is a given upper bound on the order of the group $G$. There is a Monte Carlo algorithm
which, given any set of generators of $G$, constructs a sequence of $O(\log N)$
$\epsilon$-uniform Erdős-Rényi generators at a cost of $O((\log N)^5)$ group operations.
The probability that the algorithm fails is $\le N^{-C}$. If the algorithm succeeds, it
permits the construction of $\epsilon$-uniform distributed random elements of $G$ at a cost
of $O(\log N)$ group operations per random element.

Basically what Theorem 5.1 says is that we can randomly sample elements from $G$ and
verify the membership of the random sample efficiently. Given a group $G$ and a sequence
of $O(\log N)$ $\epsilon$-uniform Erdős-Rényi generators $h_1, \ldots, h_k$ for $G$, we say
that $e_1 \ldots e_k$ where $e_i \in \{0, 1\}$ is a witness of $g \in G$ if
$g = h_1^{e_1} \cdots h_k^{e_k}$.

Theorem 5.2 Double Coset Membership has a perfect zero knowledge proof system. 

Proof. [sketch] Given groups $G$, $H$ and elements $g$, $h$, the prover wants to convince
the verifier that $g = xhy$ for some $x \in G$ and $y \in H$. Fix a sufficiently small
$\epsilon > 0$. The protocol is as follows.

(V0) The verifier computes $\epsilon$-uniform Erdős-Rényi generators $g_1, \ldots, g_m$
and $h_1, \ldots, h_n$ for $G$ and $H$. The verifier sends the generators to the prover.

(P1) The prover selects $x$ and $y$, which are random elements from $G$ and $H$. The
prover sends $z = xgy$ to the verifier.

(V1) The verifier chooses at random $\alpha \in_R \{0, 1\}$, and sends $\alpha$ to the
prover.

(P2) If $\alpha = 0$, then the prover sends $x$ and $y$ to the verifier, together with
witnesses that $x \in G$ and $y \in H$. If $\alpha = 1$, then the prover sends over $x'$
and $y'$, together with witnesses that $x' \in G$ and $y' \in H$.

(V2) If $\alpha = 0$, then the verifier verifies that $x$ and $y$ are indeed elements of
$G$ and $H$ and $z = xgy$. If $\alpha = 1$, then the verifier verifies that $x'$ and $y'$
are indeed elements of $G$ and $H$ and $z = x'hy'$. The verifier stops and rejects if any
of the verifications fails. Otherwise, he repeats steps from (P1) to (V2).

If the verifier has completed $m$ iterations of the above steps, then he accepts.

It is not hard to verify that this is a perfect zero knowledge proof system. We omit the
formal proof due to lack of space. □
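
A toy run of the protocol above on small permutation groups, added here as an illustration (it is not code from the paper): it checks the verifier's test, the exact equality of honest and simulated transcript distributions that perfect zero knowledge requires, and a cheating prover on a non-member instance, with the prover's search for its secret using the coset criterion from the proof of Theorem 3.3. Assumptions: membership is decided by brute-force enumeration instead of Erdős-Rényi witnesses, the sketch's undefined x', y' are taken to be x' = xa and y' = by where g = ahb, and the instance and all function names are constructed for this example.

```python
import random
from collections import Counter, namedtuple
from itertools import product

# A permutation of {0..n-1} is a tuple p, with p[i] the image of i.
def mul(p, q):
    return tuple(p[i] for i in q)                 # apply q first, then p

def inv(p):
    r = [0] * len(p)
    for i, j in enumerate(p):
        r[j] = i
    return tuple(r)

def closure(gens):
    """Enumerate <gens>; stands in for the black-box membership witnesses."""
    identity = tuple(range(len(gens[0])))
    seen, todo = {identity}, [identity]
    while todo:
        x = todo.pop()
        for s in gens:
            y = mul(x, s)
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return frozenset(seen)

Instance = namedtuple("Instance", "G H g h")      # claim to prove: g in G h H

def left_coset(x, H):
    return frozenset(mul(x, k) for k in H)

def find_secret(inst):
    """Unbounded prover: find a in G with a.hH = gH (the criterion in the proof of
    Theorem 3.3), giving g = a h b with b in H. Returns None if g is not in G h H."""
    target = left_coset(inst.g, inst.H)
    for a in sorted(inst.G):
        if left_coset(mul(a, inst.h), inst.H) == target:
            return a, mul(inv(inst.h), mul(inv(a), inst.g))
    return None

def prover_round(inst, secret, x, y, alpha):
    """(P1) commit z = x g y; (P2) open with (x, y) or (x', y') = (xa, by)."""
    a, b = secret
    z = mul(mul(x, inst.g), y)
    opening = (x, y) if alpha == 0 else (mul(x, a), mul(b, y))
    return z, alpha, opening

def simulate_round(inst, x, y, alpha):
    """Simulator: picks the challenge first and needs no secret."""
    base = inst.g if alpha == 0 else inst.h
    return mul(mul(x, base), y), alpha, (x, y)

def verify(inst, transcript):
    """(V2) accept iff u in G, v in H and z = u g v (alpha=0) or z = u h v (alpha=1)."""
    z, alpha, (u, v) = transcript
    base = inst.g if alpha == 0 else inst.h
    return u in inst.G and v in inst.H and z == mul(mul(u, base), v)

def transcripts_match(inst):
    """Perfect zero knowledge, checked exactly: over all coins (x, y, alpha) the honest
    and simulated transcripts form the same multiset, and all of them are accepted."""
    secret = find_secret(inst)
    coins = list(product(inst.G, inst.H, (0, 1)))
    real = Counter(prover_round(inst, secret, *c) for c in coins)
    fake = Counter(simulate_round(inst, *c) for c in coins)
    return real == fake and all(verify(inst, t) for t in real)

def answerable(inst, z):
    """Challenges for which some opening of the commitment z would be accepted."""
    return {alpha for alpha in (0, 1)
            if any(verify(inst, (z, alpha, (u, v))) for u in inst.G for v in inst.H)}

def run(inst, rounds, rng):
    """Interactive run. Without a secret the prover cheats by guessing the challenge."""
    secret = find_secret(inst)
    G, H = sorted(inst.G), sorted(inst.H)
    for _ in range(rounds):
        x, y, alpha = rng.choice(G), rng.choice(H), rng.randrange(2)
        if secret is not None:
            transcript = prover_round(inst, secret, x, y, alpha)
        else:
            z, _, opening = simulate_round(inst, x, y, rng.randrange(2))
            transcript = (z, alpha, opening)
        if not verify(inst, transcript):
            return False
    return True

# Constructed instance in S_4: G = <(0 1 2)>, H = <(0 1)(2 3)>, h = (1 2 3).
A, B, h = (1, 2, 0, 3), (1, 0, 3, 2), (0, 2, 3, 1)
G, H = closure([A]), closure([B])
MEMBER = Instance(G, H, mul(mul(A, h), B), h)     # g = A h B lies in G h H
NONMEMBER = Instance(G, H, (1, 0, 2, 3), h)       # odd g; every element of G h H is even

if __name__ == "__main__":
    print("honest == simulated:", transcripts_match(MEMBER))
    print("member accepted:", run(MEMBER, 40, random.Random(1)))
    print("non-member accepted:", run(NONMEMBER, 40, random.Random(1)))
```

For the non-member instance no commitment z can be opened for both challenges, so any prover passes a round with probability at most 1/2; `answerable` lets you confirm this for every z in S_4.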



Since SZK is closed under complement, the complement of Double Coset Membership,
Double Coset Nonmembership, is also in SZK. In fact, by adapting proofs in [GMW91], we
can give explicitly a perfect zero knowledge proof system for Double Coset Nonmembership.

Theorem 5.3 Double Coset Nonmembership has a perfect zero knowledge proof sys- 
tem. 

Proof. [sketch] A simple interactive proof system for Double Coset Nonmembership is
as follows. Given $G$, $H$ and $g$, $h$ as inputs, the prover wants to convince the
verifier that $g$ is not in the double coset $GhH$. The verifier will generate random
elements $x \in G$ and $y \in H$, and then flip a random coin and send either $xgy$ or
$xhy$ to the prover. The prover has to tell correctly which one the verifier sends. After
several rounds, the verifier is convinced. This protocol is not zero knowledge since a
cheating verifier can use the protocol to gain knowledge such as whether an element $z$ is
in the double coset $GgH$. The way to fix this flaw is to let the verifier first "prove" to
the prover that he knows the answer of his own question.

For the sake of simplicity, let $n$ denote the input size. Given groups $G$, $H$ and
elements $g$, $h$, the prover wants to convince the verifier that $g$ is not in the double
coset $GhH$. Before the protocol starts, the verifier will compute $\epsilon$-uniform
Erdős-Rényi generators $g_1, \ldots, g_m$ and $h_1, \ldots, h_n$ for $G$ and $H$ for a
sufficiently small $\epsilon$, and send them to the prover.

The following protocol will be executed m times, each time using independent random 
coin tosses. 

(V1) The verifier computes random elements $x \in G$ and $y \in H$ using the Erdős-Rényi
generators, and chooses at random $\alpha \in_R \{0, 1\}$. If $\alpha = 0$, he computes
$z = xgy$. If $\alpha = 1$, he computes $z = xhy$. The element $z$ will be called the
question. In addition to $z$, the verifier constructs $n^2$ pairs of group elements such
that each pair consists of one random element of $GgH$ and one random element of $GhH$.
The two elements in each pair are placed at random order. These pairs will be used by the
prover to test whether the verifier is cheating. In specific, for each $1 \le i \le n^2$,
the verifier constructs the $i$th pair $(T_{i,0}, T_{i,1})$ as follows. He computes random
elements $x_{i,0}, x_{i,1} \in G$ and $y_{i,0}, y_{i,1} \in H$, and chooses at random a bit
$\gamma_i \in_R \{0, 1\}$. Then he computes
$T_{i,\gamma_i} = x_{i,\gamma_i}\, g\, y_{i,\gamma_i}$ and
$T_{i,1-\gamma_i} = x_{i,1-\gamma_i}\, h\, y_{i,1-\gamma_i}$. The verifier sends $z$ and
the sequence of pairs $(T_{1,0}, T_{1,1}), \ldots, (T_{n^2,0}, T_{n^2,1})$ to the prover.

(P1) The prover chooses at random a subset $I \subseteq \{1, \ldots, n^2\}$ (uniformly
among all $2^{n^2}$ subsets) and sends $I$ to the verifier.

(V2) If $I$ is not a subset of $\{1, \ldots, n^2\}$, then the verifier halts and rejects.
Otherwise, the verifier replies with
$\{(\gamma_i, x_{i,0}, x_{i,1}, y_{i,0}, y_{i,1}) : i \in I\}$ and
$\{(\alpha_i, a_i, b_i) : i \notin I\}$, where $\alpha_i \in \{0, 1\}$, $a_i \in G$ and
$b_i \in H$ are such that $z = a_i T_{i,\alpha_i} b_i$. Intuitively, for $i \in I$ the
verifier shows that the $i$th pair is properly constructed by giving explicitly
$(\gamma_i, x_{i,0}, x_{i,1}, y_{i,0}, y_{i,1})$; for $i \notin I$ the verifier shows that
$z$ is also properly constructed by showing that $z$ is in the same double coset with one
of the elements in the $i$th pair. $(\alpha_i, a_i, b_i)$ can be easily computed by the
verifier, i.e., $\alpha_i = (\alpha + \gamma_i) \bmod 2$, $a_i = x\, x_{i,\alpha_i}^{-1}$,
and $b_i = y_{i,\alpha_i}^{-1}\, y$.

(P2) For every $i \in I$, the prover checks whether $x_{i,0}, x_{i,1}$ (respectively
$y_{i,0}, y_{i,1}$) are indeed elements of $G$ (respectively $H$), and whether
$T_{i,\gamma_i} = x_{i,\gamma_i}\, g\, y_{i,\gamma_i}$ and
$T_{i,1-\gamma_i} = x_{i,1-\gamma_i}\, h\, y_{i,1-\gamma_i}$ hold. For every $i \notin I$,
the prover checks whether $a_i$ (respectively $b_i$) is indeed an element of $G$
(respectively $H$), and whether $z = a_i T_{i,\alpha_i} b_i$ holds. If any of these
conditions does not hold, the prover stops. Otherwise, the prover answers with
$\beta \in \{0, 1\}$.

(V3) The verifier checks whether $\alpha = \beta$. If the condition is violated, the
verifier stops and rejects; otherwise, he continues.
After m rounds of successful iterations, the verifier accepts. 

This is still an interactive proof system for Double Coset Nonmembership. If g is 
not in the double coset GhH, then GgH and GhH are disjoint sets and the prover will always 
succeed in convincing the verifier. If, on the other hand, g is in the double coset GhH, then 
GgH and GhH are the same set and with probability at least a half the prover will fail to 
fool the verifier. 

To prove that this protocol is zero knowledge, the simulator has to produce the same
probability distribution without interacting with the prover. What the simulator does is
to extract from the verifier the knowledge he has about his question. We omit the formal
proof here. We note that the formal proof is similar in principle to the proof that Graph
Nonisomorphism has a zero knowledge proof system [GMW91], based on which and the
above protocol interested readers are able to construct the formal proof. □

Although Group Intersection is also known to be in AM ∩ coAM [Bab92], it is not
clear whether Group Intersection has a zero knowledge proof system. This seems to be
consistent with the fact that we have not found a reduction from Group Intersection to
Orbit Superposition over arbitrary finite groups (Corollary 4.4).